Wiretapping the Internet: Who’s Responsible for What?

Lawful interception is making headlines again as federal law enforcement and national security officials are seeking new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is becoming more limited as people tend to communicate online instead of by telephone.

Officials want Congress to require all services that enable communications — including e-mail transmitters like BlackBerry, social networking web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be capable of complying if served with a wiretap order.

Requirements of the proposal will likely include:

  • Communications services that encrypt messages must have a way to unscramble them
  • Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts
  • Developers of software that enables peer-to-peer communication must redesign their service to allow interception

The Obama administration plans on submitting the proposed bill next year. In the United States, phone and broadband networks are already required to have interception capabilities, under a 1994 law called the Communications Assistance to Law Enforcement Act (CALEA.)

CALEA has yet to be applied to communication service providers because it cannot really be applied to all of them in the same way. An end-to-end supplier of a service such as RIM has complete knowledge and control of their entire system and should be capable of decrypting any encrypted traffic that they provide as part of their service. On the other hand, if all a company does is provide a conduit for data of any sort to flow between endpoints, they cannot control, based on freedom of speech rights, the data that flows. Nor will they have the underlying knowledge (at least in some cases) as to how the data is constructed, and if encrypted, how it is encrypted.

If we look at the plain old telephone system (POTS), phone service providers are subject to both court orders (for wiretapping) and CALEA, therefore they need to be equipped to provide interception capabilities. But let’s say users of a phone system decide to speak using a sophisticated, coded language that only they share. The phone system provider wouldn’t be held liable for making these conversations intelligible for law enforcement. They would merely be required to pass along the intercepted data, and then the law enforcement would have to try to decipher the code.

What if the perpetrators use POTS simply to say “get on your short wave radio so I can send you a message” and then terminate the call. This situation is very similar to the peer-to-peer communication that is used on the Internet today. This communication could quite likely be transparent to any of the equipment and data transmission paths available to several communications service providers.
But should they be held responsible for this communication?

As a communications services provider, we are responsible for intercepting, but not necessarily deciphering, data that traverses a path through our network equipment. But when a communications channel is set up that is outside of our control, like peer-to-peer, the best that can be done is to notify law enforcement that the perpetrators are communicating peer-to-peer, and then it becomes the job of law enforcement to determine how best to investigate and perhaps intercept the communication.

One thought on “Wiretapping the Internet: Who’s Responsible for What?

Leave a Reply